STIG Compliance in GigaVUE-FM

A newly installed GigaVUE-FM includes several enhancements that significantly improve the STIG compliance of a new GigaVUE-FM instance. These enhancements are part of the default configuration. Key features include enhanced authentication, access controls, and encryption protocols.

The version of the STIG used is DISA STIG for Red Hat Enterprise Linux 8 V2R2.

These enhancements are designed to strengthen the security and reliability of GigaVUE-FM, ensuring that it meets stringent government and industry standards.

The following list gives, for each STIG rule ID, the change made in GigaVUE‑FM that directly affects the GigaVUE‑FM CLI:

Rule ID: SV-230295r1017106_rule
Change: /tmp has been moved from the root filesystem into a separate filesystem. This change helps to preserve the integrity of the root filesystem.

Rule ID: SV-230513r958804_rule
Change: Since /tmp is now a separate filesystem, the noexec mount option is set on the /tmp filesystem.

Rule ID: SV-237643r1050789_rule
Change: Re-authentication is now required every time the sudo command is executed.

Rule ID: SRG-OS-000480-GPOS-00227
Change: The setup procedure for authentication now uses the authselect tool and its sssd profile.

Rule IDs:
SV-230343r1017155_rule
SV-230333r1017145_rule
SV-230345r1017157_rule
SV-230338r1017150_rule
SV-230339r1017151_rule
SV-230334r1017146_rule
SV-230335r1017147_rule
SV-230340r1017152_rule
SV-230341r1017153_rule
SV-230336r1017148_rule
SV-230337r1017149_rule
Change: The GigaVUE-FM CLI's behavior when password authentication fails has been modified. Specifically, the CLI admin login is locked for 10 minutes if there are three failed login attempts within a 15-minute window. After 10 minutes, the admin login is automatically unlocked. This 10-minute lock period was 5 minutes in previous GigaVUE-FM releases.

Rule IDs:
SV-230359r1017171_rule
SV-230377r1017188_rule
SV-230363r1017175_rule
SV-230358r1017170_rule
SV-230360r1017172_rule
SV-230361r1017173_rule
SV-230362r1017174_rule
SV-230369r1017181_rule
SV-230375r1017187_rule
SV-230356r982195_rule
SV-251713r1017366_rule
SV-251716r1017369_rule
SV-230357r1017169_rule
Change: Password complexity rules have been changed to provide more secure password authentication. Specifically, a new password must satisfy the following conditions:

o The cracklib dictionary is now used to screen for well-known passwords, which are rejected.
o At least eight of the characters used in a new password must not be present in the old password.
o The maximum run of repeated characters in a password must not exceed three.
o At least one character from each of the following categories must be present in a password: upper-case, lower-case, numeric and special. The minimum password length is 14.

Rule ID: SV-230366r1038967_rule
Change: The CLI admin password must be changed every 60 days.

Rule ID: SV-230378r1017189_rule
Change: There is now a four-second delay after password authentication fails. In previous GigaVUE‑FM releases, the delay was three seconds.

Rule ID: SV-230346r1017159_rule
Change: The maximum number of simultaneous CLI logins for the admin user is now explicitly set to ten.

Rule IDs:
SV-230383r1017192_rule
SV-230385r1017194_rule
SV-230384r1017193_rule
Change: The default umask for the CLI admin user is explicitly set to 077.

Rule ID: SV-230485r1017269_rule
Change: The chrony service is configured to operate strictly in client-only mode.
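As an added example that is not Gigamon's code, the following shell script performs read-only checks of the default settings listed above. It assumes the standard RHEL 8 file locations (faillock.conf, pwquality.conf, login.defs, limits.conf and fstab), and that the lockout, failure-delay and umask values are expressed in faillock.conf and login.defs rather than elsewhere in the PAM stack; none of those locations are stated on this page.

```shell
#!/bin/sh
# Added example, not Gigamon's code: read-only checks for the settings the
# table above describes. Each function takes an optional file path so the
# checks can be run against copies; the defaults are the standard RHEL 8
# locations, an assumption about where GigaVUE-FM keeps them.

# 0 if FILE has an uncommented "KEY = VALUE" line (pwquality/faillock style).
kv_set() {  # FILE KEY VALUE
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3([[:space:]]|$)" "$1"
}

# 0 if FILE has an uncommented "KEY VALUE" line (login.defs style).
kw_set() {  # FILE KEY VALUE
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# Lockout: 3 failures in a 15-minute (900 s) window, unlock after 10 minutes.
check_faillock() {
    f=${1:-/etc/security/faillock.conf}
    kv_set "$f" deny 3 && kv_set "$f" fail_interval 900 && kv_set "$f" unlock_time 600
}

# Complexity: dictionary check, 8 chars differing from the old password,
# at most 3 repeats, one of each class (credit -1 = required), length 14.
check_pwquality() {
    f=${1:-/etc/security/pwquality.conf}
    kv_set "$f" dictcheck 1 && kv_set "$f" difok 8 && kv_set "$f" maxrepeat 3 &&
    kv_set "$f" ucredit -1 && kv_set "$f" lcredit -1 &&
    kv_set "$f" dcredit -1 && kv_set "$f" ocredit -1 && kv_set "$f" minlen 14
}

# 60-day expiry, 4-second failure delay, umask 077 (values from the page;
# login.defs as their location is an assumption).
check_login_defs() {
    f=${1:-/etc/login.defs}
    kw_set "$f" PASS_MAX_DAYS 60 && kw_set "$f" FAIL_DELAY 4 && kw_set "$f" UMASK 077
}

# At most ten concurrent logins per user (limits.conf "* hard maxlogins 10").
check_maxlogins() {
    f=${1:-/etc/security/limits.conf}
    grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+maxlogins[[:space:]]+10([[:space:]]|$)' "$f"
}

# /tmp is a separate filesystem in fstab and carries the noexec option.
check_tmp_noexec() {
    f=${1:-/etc/fstab}
    grep -Ev '^[[:space:]]*#' "$f" | awk '$2 == "/tmp" && $4 ~ /(^|,)noexec(,|$)/ { ok = 1 } END { exit !ok }'
}
```

Each function exits 0 when the setting is present and non-zero otherwise, so the checks can be chained into a simple compliance report.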

Recommended STIG Compliance

The following list gives, for each STIG rule ID, an additional change that can be made to further increase the STIG compliance of a GigaVUE-FM instance:

Rule ID: xccdf_org.ssgproject.content_rule_banner_etc_issue
Recommended change: A generic /etc/issue message is the default. Simply replacing the contents of /etc/issue with the contents of /etc/issue.stig provides the required text and increases the STIG score.

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
Recommended change: The STIG requires a minimum password length of 15 characters. This is a disruptive change for Gigamon deployments, which have all enforced a 14-character minimum length for several years. Edit the file /etc/security/pwquality.conf and change the value on the minlen line from 14 to 15.

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
Recommended change: The STIG requires a minimum password length of 15 characters. This is a disruptive change for Gigamon deployments, which have all enforced a 14-character minimum length for several years. Edit the file /etc/login.defs and change the value on the PASS_MIN_LEN line from 14 to 15.

Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
Recommended change: Increased hashing rounds make password cracking attacks more difficult, but the performance impact of the STIG-required values may be excessive. To improve the STIG results, edit /etc/login.defs and replace the line that begins with SHA_CRYPT_MAX_ROUNDS with the following two lines:

    SHA_CRYPT_MIN_ROUNDS 100000
    SHA_CRYPT_MAX_ROUNDS 100000

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
Recommended change: Configure rsyslog to send syslog messages to your environment-specific log server.

Rule ID: xccdf_org.ssgproject.content_rule_service_usbguard_enabled
Recommended change: Enable the usbguard.service system service to prevent USB devices from being attached to your system. Run this command:

    sudo systemctl enable usbguard.service
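As an added example that is not Gigamon's code, this shell script applies the recommended edits above. Each function takes the file to edit as a parameter so the steps can be rehearsed on copies before the live files are touched; the rsyslog drop-in path /etc/rsyslog.d/remote.conf, TCP port 514 and the log-server name are assumptions or placeholders not given on this page.

```shell
#!/bin/sh
# Added example, not Gigamon's code: applies the recommended edits from the
# table above. Each function takes the file to edit so the steps can be
# rehearsed on copies before touching /etc/security/pwquality.conf,
# /etc/login.defs and rsyslog. The rsyslog drop-in path and port are assumptions.
set -eu

# pwquality.conf: change the active "minlen = 14" line to 15 (commented
# lines and other values are left alone).
raise_pwquality_minlen() {  # FILE
    sed -i -E 's/^([[:space:]]*minlen[[:space:]]*=[[:space:]]*)14[[:space:]]*$/\115/' "$1"
}

# login.defs: change "PASS_MIN_LEN 14" to 15.
raise_login_defs_minlen() {  # FILE
    sed -i -E 's/^([[:space:]]*PASS_MIN_LEN[[:space:]]+)14[[:space:]]*$/\115/' "$1"
}

# login.defs: replace the SHA_CRYPT_MAX_ROUNDS line with the MIN/MAX pair.
# Skipped when a MIN line already exists so a rerun does not duplicate it.
set_hash_rounds() {  # FILE
    grep -Eq '^[[:space:]]*SHA_CRYPT_MIN_ROUNDS' "$1" && return 0
    sed -i '/^[[:space:]]*SHA_CRYPT_MAX_ROUNDS/c\
SHA_CRYPT_MIN_ROUNDS 100000\
SHA_CRYPT_MAX_ROUNDS 100000' "$1"
}

# rsyslog: forward all messages to HOST over TCP (@@; a single @ is UDP).
# Appends the rule once; HOST is the site log server, a placeholder here.
add_remote_loghost() {  # FILE HOST
    line="*.* @@$2:514"
    grep -qxF "$line" "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
}

# Usage on a live system (run as root, after backing up the files):
#   raise_pwquality_minlen /etc/security/pwquality.conf
#   raise_login_defs_minlen /etc/login.defs
#   set_hash_rounds /etc/login.defs
#   add_remote_loghost /etc/rsyslog.d/remote.conf LOGHOST_PLACEHOLDER
#   systemctl restart rsyslog
```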